Outsourcing und Data Protection Clara-Ann Gordon IAPP Workshop on Outsourcing, 9 May 2017
Subject Matter Outsourcing: depending on area different meaning and requirements However always personal data are involved: - Outsourcing of business divisions or tasks - Mandating external services - Transfer of data processing within the group or to a third party Legal Basis: - Art. 10a and 6 DPA - Cantonal Data Protection Laws: IT-Outsourcing of cantonal and communal administrations Responsibility always remains with outsourcer/controller Page 2
Applicability of Swiss Data Protection Act? Offshoring, Farshoring or Nearshoring? When does the Swiss DPA apply? - Principle of territoriality: data processing in Switzerland and access from abroad to server in Switzerland - However onwards transfer of personal data originating from Switzerland from a country abroad not subject to DPA - DPA does not apply, if personal data are directly acquired abroad (e.g. via Webserver) Caution: secrecy obligations (e.g. bank secrecy, professional secrecy obligations, etc.) or Blocking Statutes can generally prohibit the export No crossborder disclosure if personal data is anonymized or encrypted Page 3
Art. 10a DPA Article 10a DSG: Data Processing by Third Parties 1 The processing of personal data may be assigned to third parties by agreement or by law if: a. the data is processed only in the manner permitted for the instructing party itself; and b. it is not prohibited by a statutory or contractual duty of confidentiality 2 The instructing party must in particular ensure that the third party guarantees data security. 3 Third parties may claim the same justification as the instructing party. Page 4
Requirements of Art. 10a DPA Principal (Outsourcer) Mandate for data processing Third party Written agreement Subordinate relationship Processing in the same scope as the principal No adverse legal or contractual confidentiality obligations Data security Page 5
Provisions in Outsourcing Contract Required data protection clauses: - Reference to DPA provisions - Warranty of provider to comply with DPA provisions - Warranty of fulfilment of data protection claims of data subjects - Consent of controller for subcontracting by processor - Purpose definition for data processing by processor - Obligation of processor to subject its employees, auxiliary personnel, freelancers etc, to the comply with DPA provisions - Obligation of processor to comply with data security obligations Page 6
Outsourcing Privilege Benefits of Outsourcing Privilege: - Processor is not third party in the meaning of DPA - No registration requirement according to Art. 11a Abs. 3 lit. b DPA - No justification reasons necessary according to Art. 12 Abs. 2 lit. c DPA - No limitations of justification reasons according to Art. 9 Abs. 3 DPA - No obligations to inform data recipients according to Art. 7a DPA - No application of transparency principle (Art. 4 Abs. 4 DPA) and duty of information (Art. 7a DPA) Page 7
Special Questions Art. 10a DPA I Data Flows within the Holding: - Usually: transfer of data processing from one group company to another (inter-company agreements) - Question: data processing for own purposes and not for the outsourcing group company? Access of several group companies to data use however only for own purposes (Shared Service Center) Mutual ownership of data collections use however for own purposes Page 8
Special Questions Art. 10a DPA II Audit Right: - Controller is responsible for control (Oberaufsicht) - Proviso for supervision of necessary rights: Access for internal and external auditors Right to inspect infrastructure Right over type of data processing - Scope of audit right: any time or only quarterly, with or without prior notification etc. - In practice: major issue in the regulated sectors as a requirement by the authorities Page 9
Crossborder Data Processing Additionally fulfilment of requirements of Art. 6 DPA Usually requirements of Art. 10a and 6 DPA fulfilled with standard contracts Adequate protection: - Swiss Transborder Data Flow Agreement - EU-Model clauses - Privacy Shield CH Page 10
Common Problems when Outsourcing Location of Cloud? Mandating of Subproviders Outsourcing of personal data protected by law: Auxiliary personnel topic Handing back of Personal Data: - Which format? - Deal contractually with handing back formalities - Insolvency of provider / Cloud provider: no claim for handing over of personal data Page 11
Implications of revised DPA on Outsourcing? Draft Swiss DPA contains some new provisions: - Introduction of the terms controller and processor and respective duties - Duty of information extended as regards identity and contact details of controller - Controller has duty to obtain approval for engaging subprocessors - Controller has duty to obtain approval for EU model clauses Page 12
Contact Niederer Kraft & Frey Ltd Bahnhofstrasse 13 CH-8001 Zurich Switzerland Phone +41 58 800 8000 Fax +41 58 800 8080 Web http://www.nkf.ch Clara-Ann Gordon clara-ann.gordon@nkf.ch Page 13